a1b2f2c802ab7a9c1dc6a75b742a66bb59611d7613bbec802567757de2e125c0

Analysis

max time kernel
97s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 21:19

Target

a1b2f2c802ab7a9c1dc6a75b742a66bb59611d7613bbec802567757de2e125c0.dll
Size

276KB
MD5

e8eb1bbff846dd5ce388a60f1f732bb9
SHA1

19406a76b66671c6aefe62d33ada9b405d66fb9e
SHA256

a1b2f2c802ab7a9c1dc6a75b742a66bb59611d7613bbec802567757de2e125c0
SHA512

517096ae5f1220a4819da35ffb9c3b20e64645f4e206475940b7db56940059e338f72796ddbc3e478feb8ec1d3223c4404e6dc405698ede5db6a96d39e2fc28e
SSDEEP

6144:LKzLgqEH3/wTu9daCUJNaiND98FWK6pJYqMOQGcFHHv8oSm:+zL/S3/wTuaCh4Da1OQGcFnv8oSm

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1224-133-0x0000000010000000-0x00000000100A2000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3456	1224	WerFault.exe	78

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1224	1064	rundll32.exe	78
PID 1064 wrote to memory of 1224	1064	rundll32.exe	78
PID 1064 wrote to memory of 1224	1064	rundll32.exe	78

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1b2f2c802ab7a9c1dc6a75b742a66bb59611d7613bbec802567757de2e125c0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1b2f2c802ab7a9c1dc6a75b742a66bb59611d7613bbec802567757de2e125c0.dll,#1
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 568
    3⤵
    - Program crash
    PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1224 -ip 1224
1⤵
PID:3184

memory/1224-133-0x0000000010000000-0x00000000100A2000-memory.dmp

Filesize
648KB

Download